From analysis of Smart Protection Network data, we see that a significant part of Internet users who loaded the SSL certificate verification URL of Diginotar were from Iran on August 28, 2011. On August 30, 2011 most traffic from Iran disappeared and on September 2, 2011 about all of the Iranian traffic was gone and Diginotar received mostly Dutch Internet users, as expected.

These aggregated statistics from Trend Micro Smart Protection Network clearly indicates that Iranian Internet users were exposed to a large scale man-in-the-middle attack, where SSL encrypted traffic can be decrypted by a third party. For example: a third party probably was able to read all e-mail communication an Iranian Internet user has sent with his Gmail account.

DigiNotar detected an intrusion into its Certificate Authority (CA) infrastructure, which resulted in the fraudulent issuance of public key certificate requests for a number of domains, including Google.com. Once it detected the intrusion, DigiNotar has acted in accordance with all relevant rules and procedures. At that time, an external security audit concluded that all fraudulently issued certificates were revoked. Recently, it was discovered that at least one fraudulent certificate had not been revoked at the time. After being notified by Dutch government organization Govcert, DigiNotar took immediate action and revoked the fraudulent certificate.

Who’s behind the attacks? According to theTor Project, clues were found in one of the certificates, including messages in Farsi:

The text here appears to be be an entry like any other but it is infact a calling card from a Farsi speaker. RamzShekaneBozorg.com is not a valid domain as of this writing.Thanks to an anonymous Farsi speaker, I now understand that the above certificate is actually a comment to anyone who bothers to read between the lines:”RamzShekaneBozorg” is “great cracker“,”Hameyeh Ramzaro Mishkanam” translates to “I will crack all encryption“,”Sare Toro Ham Mishkanam” translates to “i hate/break your head“